(57) ABSTRACT

A roaming user needing his authentication credential (e.g., private key) to access a computer server to perform an electronic transaction may obtain the authentication credential in an on-demand fashion from a credential server accessible to the user over a computer network. In this way, the user is free to roam on the network without having to physically carry his authentication credential. Access to the credential may be protected by one or more challenge-response protocols involving simple shared secrets, shared secrets with one-to-one hashing, or biometric methods such as fingerprint recognition. If camouflaging is used to protect the authentication credential, decamouflaging may be performed either at the credential server or at the user's computer.

52 Claims, 3 Drawing Sheets 
Fig. 2
Fig. 3

METHOD AND APPARATUS FOR SECURE DISTRIBUTION OF AUTHENTICATION CREDENTIALS TO ROAMING USERS

CROSS-REFERENCE TO RELATED 
APPLICATIONS 

This application is a Continuation-in-Part of pending U.S. patent application Ser. No. 08/996,758 filed Dec. 23, 1997.

BACKGROUND OF THE INVENTION 

In networked computer deployments, users of client computers are required to authenticate themselves to server computers for applications such as electronic mail, accessing privileged or confidential information, purchasing goods or services, and many other electronic commerce transactions. When the information involved is of relatively low value, it may be sufficient for the user to authenticate himself with a simple password. However, when the information is of high value, or when the data network is unsecured, simple passwords are insufficient to control access effectively. For example, when computers are accessed across the Internet, passwords are easy to capture by filtering packets as they traverse the network. Alternatively, passwords can be guessed or "cracked" by intelligent trials, since passwords are often six or fewer characters. In brief, the convenience of passwords makes them easy to break: if they are sufficiently easy for the user to remember, they are sufficiently easy for the hacker to guess.

To overcome the insecurity of the password, alternative technologies have been developed. One such technology is asymmetric key cryptography. In this technology, each user has two keys, a private key and a public key. The user performs a cryptographic operation (e.g., an encryption or a digital signature) on a digital quantity using his private key, such that the quantity may be authenticated by a verifier having access only to the user's public key. The private key therefore serves as the user's authentication credential. That is, the verifier need not know the user's private key in order to authenticate the user. Because the public key may be widely disseminated while the private key remains confidential, strong authentication is provided with enhanced security. Private keys are generally too long and complex for the user to memorize, and are therefore usually stored in software or hardware tokens, and interfaced with computers prior to use.

One such software token is the so-called software wallet, in which the private key is encrypted with a password or other access-controlled datum. In such software wallets, an intruder is not deterred from repeatedly trying passwords, in an exhaustive manner, until he recovers the private key. This poses analogous security risks to the simple password schemes described above. In addition, the software wallet is stored on a user's computer, which may be inconvenient if the user needs to freely roam from one location to another.

In contrast to software wallets, hardware tokens such as smart cards are more secure, and can be conveniently carried as the user roams. In a typical hardware smart card, the private key is stored in hardware, and protected by a watchdog chip that allows the user to access the private key, should he enter the correct password that unlocks the smart card. The smart card can even be configured so that, if a hacker attempts to guess passwords, the card locks up after a small number of successive missed attempts. The disadvantages of hardware tokens are: (1) roaming is restricted to locations where the appropriate token reader hardware is installed; (2) hardware tokens are expensive in contrast to software tokens; (3) hardware tokens must be physically carried wherever the user wishes to roam; and (4) hardware tokens are often lost, misplaced, or stolen.

Thus, while hardware token systems offer increased security, they have several disadvantages compared to software based systems. It would, therefore, be desirable to have a system that combines the best features of both hardware and software based systems.

SUMMARY OF THE INVENTION 
The present invention discloses a method and apparatus for the on-demand delivery of authentication credentials to roaming users. Credentials are stored, delivered and transmitted in software, obviating the need for additional hardware. In a basic embodiment of the system, a user can demand his credential at will, upon providing proof of identity in the form of shared secret(s) that he has previously escrowed with the credential server. The shared secret may be chosen by the user, and could be easily remembered secrets such as: mother's maiden name, third grade teacher, etc. The user will respond to challenges from the server via a challenge-response protocol, with the server demanding correct answers to such questions prior to releasing the user's credentials. In another embodiment of the invention, a user's authentication credential can be stored on the server protected by a simple shared secret scheme such as a password, a biometric authentication scheme based on a fingerprint or retinal image, or a one-to-one hashed shared secret. In yet another embodiment of the invention, the user interacts with the server via a cryptographically camouflaged challenge-response protocol. In particular, if the user responds correctly to the server's challenges, the user will receive his authentication credentials. However, if the user responds incorrectly, such as might be the case with a hacker trying to break the system, the user will receive plausible and well-formed but invalid credentials. Furthermore, the authentication credential itself could be encrypted or camouflaged with an additional secret that is known only to the user. An authentication credential is said to be in cryptographically camouflaged form when it is embedded among many pieces of similar (pseudo-valid) data. These data are sufficiently different that the user can locate the correct piece without any difficulty, using a shared secret that he can remember. However, the pieces of data are also sufficiently alike that an intruder will find all of them equally plausible. Such a cryptographically camouflaged authentication credential can be provided to the user in either camouflaged or decamouflaged form; that is, the decamouflaging can be performed at either the credential server or at the user's computer.

The various embodiments of the invention described above provide one or more of the following advantages:

No additional hardware is required for deployment. This is in contrast with hardware tokens such as smart cards where cards and card readers need to be deployed in a widespread fashion.

(1) High user convenience. Roaming users need not carry tokens with them, but can demand them as required.

(2) Low administrative overhead. Users who have lost, misplaced or forgotten tokens do not require administrative intervention.

(3) Rapid deployment rate. Soft credentials with roaming access can be deployed rapidly, since they are intuitive to use and require little user/administrator training.

(4) Enhanced security over purely one-factor systems.

BRIEF DESCRIPTION OF THE FIGURES 
FIG. 1 illustrates an exemplary embodiment of the invention in which a user accesses a web server to conduct an electronic transaction with a transaction server protected by an access control server.

FIG. 2 illustrates an exemplary embodiment of a wallet in which a private key is protected by a PIN.

FIG. 3 illustrates an exemplary embodiment in which the wallet of FIG. 2 is protected by a form of cryptographic camouflaging.

DETAILED DESCRIPTION OF THE INVENTION

We now describe various exemplary embodiments of the invention using the exemplary context of a user operating a web browser to access one or more remote servers, whereby the user can freely roam about the Internet while still maintaining access to his authentication credential. Those skilled in the art will recognize that the invention is applicable to other client-server environments as well, including but not limited to databases, medical client stations, and financial trading stations. Furthermore, the network environment need not be the Internet, but could be an intranet or indeed any distributed computer network.

Referring now to FIG. 1, a user at Browser 140 wishes to access a Web Server 110 to conduct an electronic transaction. Web Server 110 is, in turn, safeguarded by Access Control Server 120, which prevents unauthorized access to Transaction Server 130. For example, Web Server 110 might be a company's home page, Access Control Server 120 might be a firewall, and Transaction Server 130 might contain proprietary company data that the user wishes to access. In yet another example, Access Control Server 120 might be a membership or credit/payment verification system, and Transaction Server 130 might be a back-end shipping/delivery system. Those skilled in the art will appreciate that any or all of servers 110, 120 and 130 may be combined into a single server, that there may be more additional servers performing other specialized functions, that any of these servers may be co-located or widely distributed, and so forth. Similarly, the electronic transaction may be of virtually any type including, but not limited to, secure electronic mail, accessing privileged or confidential information, and purchasing electronic or physical goods or services.

Before accessing the Transaction Server 130 to perform the electronic transaction, the user first needs to authenticate himself to Access Control Server 120. As mentioned in the Background of the Invention, the user typically authenticates himself by using his private key to perform a cryptographic operation on a challenge sent by the Access Control Server 120. This cryptographic operation might be a simple encryption, a hash followed by encryption (commonly referred to as a digital signature), or still other protocols that are well known to those skilled in the art. Of course, in lower security applications, the authentication credential might be a simple password. Private key, password and other authentication credentials are well known to those skilled in the art, and need not be described in detail here. For examples thereof, the reader is referred to well-known, standard texts such as Applied Cryptography (Bruce Schneier, Second Edition, 1996, pp. 101-112 & 548-549) for details.

No matter what the authentication credential or protocol, if the Access Control Server 120 authenticates the user, the user is subsequently allowed to access the Transaction Server 140. The present invention provides a method and apparatus for providing the authentication credential, on demand, to a user who wishes to be able to access servers 110, 120 and/or 130 from a variety of Browsers 140 (the so-called "roaming user").

This on-demand roaming capability is provided by a Credential Server 160 that downloads the authentication credential (e.g., private key) to the user at Browser 140 via a software Wallet 150. As used herein, Wallet 150 need only serve as a basic container for the authentication credential. As such, it could be considered to be simply the data structure in which the authentication credential is embodied, or [illegible] container having the capability to handle other user-owned items such as a digital certificate or digital currency (including, without limitation, electronic cash or scrip). In a basic embodiment of the invention, Credential Server 160 is embodied as a web server. The user points his Browser 140 to the Credential Server, which sends the user a challenge in the form of a shared secret that has previously been associated with the user during a set-up phase. This shared secret might be of the following exemplary forms:

Question: Mother's maiden name? Answer: Jones

Question: PIN? Answer: PIN

The actual number of questions can vary from credential server to credential server, as dictated by their respective security policies. If the user provides the correct answer(s), Credential Server 160 obtains the user's wallet from a Wallet Database 170 (which may or may not be part of Credential Server 160) and provides the wallet to the user at Browser 140. In an alternative embodiment, the wallet, or a [illegible] thereof, could be provided directly to any of servers 110, 120 & 130.

In either of the foregoing, the wallet could be installed either 1) in the memory space of the software program, and/or subsequently 2) onto the hard drive or other physical memory of the computer. If only the former, the authentication credential would be destroyed when the session is ended. If the latter, the authentication credential could be available for use across multiple sessions on that particular computer. In either event, as the user roams to another computer, the process can be repeated to provide on-demand access to the needed authentication credential without the requirement of a physical token (even though the invention could also be used in conjunction with a physical token, as desired).

The foregoing illustrates the use of so-called shared secrets, whereby the user and the server both share copies of information required to access the system. Of course, the invention is not limited to such simple protocols which, by their nature, are subject to abuse by a dishonest server. For example, zero knowledge proofs, whereby the user can prove to the server that he knows his mother's maiden name (or other secret information) without actually revealing the name to the server, can also be used. As a simple example, the user's private key itself could be used in this fashion, for a verifier need only know the corresponding public key to verify the private key. The principles and implementations of zero knowledge proofs are well known to those skilled in the art and need not be described here. The reader is referred to well-known, standard texts such as Applied Cryptography, supra, for details.

In one embodiment of the invention, the wallet might itself be protected by a shared secret. For example, FIG. 2 shows an exemplary embodiment of a wallet in which a private key is protected by a PIN. The PIN (more generally,
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a shared secret) might be the shared secret transmitted by the will satisfy the hash challenge to open the key wallet. (PINs 
user to the Credential Server 160, as discussed previously, that hash to the same hash value as the correct PIN, 
and the private key (more generally, the authentication including the correct PIN, arc referred to herein as pseudo- 
credential) in the wallet might be decrypted by Credential valid PINs.) For example, if the hash function hashes 
Server 160 and provided in the clear to the user at Browser 5 six-digit codes to two-digit hash values, there will be 10,000 
140. Alternatively, the entire wallet (including the authen- six-digit pseudo-valid PINs that will open the key wallet, out 
tication credential in encrypted form) might be provided to of a total of 1,000,000 possible six-digit codes. Pseudo-valid 
the user, for the user to decrypt locally at Browser 140. With PINs will all be passed to the decryption module 340 to 
cither approach, the process of decrypting the PI N-protectcd decrypt the stored encrypted key to produce a candidate 
authentication credential as follows. The user enters a PIN lQ private key. However, all but one of these candidate private 
200 (more generally, an access code) to unlock the wallet, keys will be incorrect decryptions of the stored (correct) 
and the PIN is passed through a one-to-one hash function private key. Only when the entered PIN is the correct PIN 
210. The hash function may also include a salt value or other will the correct private key be recovered, 
security-enhancing feature, as will be appreciated by per- Preferably, the many-to-one hash function above should 
sons skilled in the art. The hashed value 215 of the entered 15 be chosen to be a good hash. For example, and without 
PIN is compared with a stored hash value 220, which is the limitation, MD5 and SHA are well-known good hash func- 
hashed value of the correct PIN. If the two hash values tions. Good hash functions are one means to substantially 
agree, the PIN is passed to decryption module 240. The uniformly distribute the pseudo-valid PINs in the space of 
private key which has been encrypted (with the correct PIN all possible PINs. For example, consider a hash function 
as the encryption key) and stored in field 230, is decrypted ^ from six-digit codes to two-digit hash values. Of the 1,000, 
by decryption module 240, which is typically DES or some 000 possible input values, 10,000 will be pseudo-valid PINs. 
other cryptographic function such as, for example, triple- If the hash function is a good hash, these values will be 
DES, IDEA or BLO WFISH. Hence, the decrypted private substantially uniformly distributed. In particular, one in a 
key 250 is released for use. hundred PINs will be pseudo-valid, and these will be effee- 
The cryptographic operations of computing the hash(es) ^ tively randomly distributed. Specifically, the chances are 
and decrypting the stored hash may be implemented using Vioo that if the user makes a typographical error in entering 
one or more cryptographic logic (e.g., software or hardware) the correct PIN, then the resulting PIN will be a pseudo- 
modules, and the correct hash value and private key may be valid PIN. 

stored in protected data fields or other forms of memory Another possible embodiment uses a weak hash, i.e., one 

(e.g., read from ROM, from computer-readable media, etc.). 3Q which results in clustering of pseudo-valid PINs, whereby 

A typical key wallet would also include input and output an intruder who guesses one pseudo-valid PIN will more 

logic for receiving candidate PINs and oulputting decrypted easily find others. A legitimate user making a scries of 

private keys, as well as logic for management, viewing, I -digit typographical errors would also get a sequence of 

copying, and handling of keys and other data. pseudo-valid PINs and, if the system accepting the private 

The one-to-one nature of the hash function ensures that 35 key or messages encrypted thereby has an alarm -or-disablc- 

the correct PIN and only the correct PIN will unlock the key upon-repcatcd-failure feature, this would inadvertently lock 

wallet. Unfortunately, it also allows a malicious hacker to out the legitimate user Thus a weak hash is typically 

guess the complete PIN via a brute force search. For disfavored over the good hash. Nevertheless, there may be 

example, he might write a program that simply checks all some applications where a weak hash provides certain 

six-digit PIN codes on the key wallet. If he gets a copy of 40 characteristics such as computational efficiency and ease of 

the key wallet, he can carry out this attack on his computer, implementation that are advantageous for specialized appli- 

completely undetected and in an automated fashion, in a cations. 

matter of a few minutes. The foregoing paragraphs describes techniques for further 
To resist the PIN hash attack, another embodiment of the protecting the wallet, either with a one-to-one or many-to- 
invention uses a technique called cryptographic camouflag- 45 one hash. It will be appreciated by those skilled in the art that 
ing to provide even greater security in connection with the the decryption processes 200-250 and 300-350 (e.g., cryp- 
authentication credential. Cryptographic camouflaging is tographic decamouflaging) may be performed at either the 
described is summary form below with respect to FIG. 3; for user's computer or at the Credential Server 160. In the 
full details, the reader may refer to co-pending U.S. patent former case, the wallet is downloaded to the user in 
application Ser. No. 08/996,758, which is incorporated 50 decrypted form, while in the latter, the wallet is decrypted at 
herein by reference. the Credential Server 160 before downloading to the user. 

Referring now to FIG. 3, the authentication credential More generally, it will also be appreciated that the various 

(e.g., private key) is protected via an access code as in FIG. challenge-response protocols described to this point (e.g., 

2. However, the one-to-one hash is replaced with a many- the simple shared secret; the biometric method such as 

to-one hash, i.e., a hash in which many inputs produce (i.e., 55 fingerprint recognition; the one-to-one hashed secret of FIG. 

regenerate) the same hashed output. In an exemplary 2; and the many-to-one hashed secret of FIG. 3) can be used 

implementation, the raany-to-one hash function 310 might at either the Credential Server 160 or at Browser 140, and 

hash six -digit codes to two-digit hash values. As in the that such use can occur in any combination or permutation, 

conventional key wallet, the hashed value 315 of the entered For example, with minimal security, the Credential Server 

PIN 300 is compared with the stored hash value 320, which 60 160 could be accessed by a simple shared secret, and the 

is the hashed value of the correct PIN. If the two hash values wallet could be downloaded to the user in the clear, 

agree, the key wallet opens. The private key is again stored Alternatively, the wallet could be further protected by a 

encrypted in field 330 of the key wallet, with the correct PIN one-to-one or many-to-one (i.e., cryptographically 

as the encryption key. When the correct PIN is entered, the camouflaged) hashed shared secret and decrypted at the 

stored encrypted key is decrypted and the correct private key 65 Credential Server in response to the user's responding to the 

350 is released for use. However, since the hash function is appropriate challenge-response protocol The decrypted (or, 

many-to-one, there will be many different entered PINs that in the case of the many-to-one hash, the decamouflaged) 
wallet would then be downloaded to the user in the clear. For greater security, the wallet could be downloaded to the user in camouflaged form, with the decamouflaging occurring at the user's computer. For still greater security, a one-to-one or many-to-one hash process could replace the simple shared secret for the initial server access. In general, then, the one-to-one hash or many-to-one hash could be deployed at the initial server access stage, while any of the simple shared secret, one-to-one hash, many-to-one hash techniques could be employed at the subsequent wallet downloading stage. Because of these and other variations that will be understood to those skilled in the art, it is therefore intended that the scope of the invention be not limited to the particular embodiments disclosed herein, but rather to the full breadth of the claims appended hereto.

What is claimed is:

1. A computer-implemented method for obtaining, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) accessing, over a network, a server to request therefrom a predetermined authentication credential, said authentication credential:
(i) in existence at said server prior to said request therefor,
(ii) uniquely identifying a requestor thereof, and
(iii) suitable for use in conducting an electronic transaction;
(b) receiving, from said server, a challenge soliciting a predetermined response associated with a holder of said authentication credential;
(c) transmitting an answer to said challenge; and
(d) in response to a determination by said server that said answer satisfies said challenge, receiving said authentication credential from said server;
said method being operable in a repeatable, on-demand manner by said requestor from a plurality of requestor locations.

2. The method of claim 1 where said authentication credential includes a secret credential of said requestor.

3. The method of claim 2 where said secret credential is a private key.

4. The method of claim 2 further comprising:
(e) using said authentication credential to conduct said electronic transaction; and
(f) deleting said credential from said requestor's computing device.

5. The method of claim 2 where said requestor's computing device includes a web browser, and said network is a distributed computer network.

6. The method of claim 2 where said requestor's computing device includes a digital wallet.

7. The method of claim 2 where said response includes a shared secret between said server and said requestor.

8. The method of claim 1 further comprising:
(e) using said authentication credential to conduct said electronic transaction; and
(f) deleting said credential from said requestor's computing device.

9. The method of claim 8 where said authentication credential includes a private key of said requestor.

10. The method of claim 1 where said received authentication credential is in cryptographically camouflaged form.

11. The method of claim 10 where said authentication credential is encrypted under an access code, and further comprising:
(i) receiving from said requestor a candidate access code;
(ii) verifying that said candidate access code belongs to a family of pseudo-valid responses; and
(iii) using said pseudo-valid candidate access code to decrypt said stored authentication credential.

12. The method of claim 11 where said pseudo-valid responses have the characteristic of being hashable to the same output as said access code.

13. The method of claim 12 where said authentication credential includes a private key of said requestor.

14. The method of claim 10 where said authentication credential includes a secret credential of said requestor.

15. The method of claim 10 further comprising the steps of:
(e) using said authentication credential to conduct said electronic transaction; and
(f) deleting said credential from said requestor's computing device.

16. The method of claim 1 where said challenge and said response are members of a zero knowledge proof protocol.

17. The method of claim 1 where said steps (b) and (c) are part of a cryptographic camouflage challenge-response protocol.

18. The method of claim 1 further comprising downloading a digital currency from said server along with said authentication credential.

19. An apparatus for obtaining, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) a network interface configured to:
(i) access, over a network, a server to request therefrom a predetermined authentication credential, said authentication credential:
(A) in existence at said server prior to said request therefor,
(B) uniquely identifying a requestor thereof, and
(C) suitable for use in conducting an electronic transaction, and
(ii) receive, from the server, a challenge soliciting a predetermined response associated with said requestor of said authentication credential;
(b) a user interface configured to receive, from said requestor, an answer to said challenge;
(c) said network interface configured to receive said authentication credential in response to a determination by said server that said answer satisfies said challenge; and
(d) a memory configured to store said authentication credential at said requestor's computing device;
said apparatus being usable by said requestor to obtain repeated, on-demand access from a plurality of requestor locations.

20. The apparatus of claim 19 wherein said authentication credential includes a secret credential of said requestor.

21. The apparatus of claim 20 wherein said secret credential is a private key.

22. The apparatus of claim 19 configured for use as a web browser, and wherein said network is a distributed computer network.

23. The apparatus of claim 19 configured for use as a digital wallet.

24. The apparatus of claim 19 wherein said server is configured to store said authentication credential in cryptographically camouflaged form.

25. The apparatus of claim 24 wherein:
(i) said authentication credential is encrypted under an access code;
(ii) said user interface is configured to receive, from said requestor, a candidate access code; and
(iii) further comprising cryptographic logic configured to:
(iv) verify that said candidate access code belongs to a family of pseudo-valid responses; and
(v) use said pseudo-valid candidate access code to decrypt said stored authentication credential.

26. The apparatus of claim 25 wherein said pseudo-valid responses have the characteristic of being hashable to the same output as said access code.

27. The apparatus of claim 26 wherein said authentication credential includes a private key of said requestor.

28. The apparatus of claim 19 wherein said challenge and said predetermined response are part of a cryptographic camouflage challenge-response protocol.

29. The apparatus of claim 24 wherein said authentication credential includes a secret credential of said requestor.

30. A computer-implemented method for providing, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) receiving from a requestor, over a network, a request for a predetermined authentication credential, said authentication credential:
(i) in existence at said server prior to said request therefor,
(ii) uniquely identifying a requestor thereof, and
(iii) suitable for use in conducting an electronic transaction;
(b) transmitting, to said requestor, a challenge soliciting a predetermined response associated with said requestor;
(c) receiving an answer to said challenge;
(d) determining that said answer satisfies said challenge; and
(e) transmitting said authentication credential for said requestor;
said method being operable to process repeated, on-demand authentication credential requests by said requestor at a plurality of requestor locations.

31. The method of claim 30 where said authentication credential includes a secret credential of said requestor.

32. The method of claim 31 where said secret credential is a private key.

33. The method of claim 31 where said requestor is at a web browser, and said network is a distributed computer network.

34. The method of claim 31 where said transmitting is to a digital wallet of said requestor.

35. The method of claim 31 where said response includes a shared secret between said server and said requestor.

36. The method of claim 30 where said server is configured to store said authentication credential in cryptographically camouflaged form.

37. The method of claim 36 where said authentication credential is encrypted under an access code, and where said determining that said answer satisfies said challenge includes:
(i) verifying that said answer belongs to a family of pseudo-valid responses; and
(ii) using said response to decrypt said stored authentication credential.

38. The method of claim 37 where said pseudo-valid responses have the characteristic of being hashable to the same output as said access code.

39. The method of claim 38 where said authentication credential includes a private key of said requestor.

40. The method of claim 36 where said authentication credential includes a secret credential of said requestor.

41. The method of claim 36 where said step (e) includes transmitting said authentication credential to said requestor in cryptographically camouflaged form for cryptographic decamouflaging by said requestor.

42. The method of claim [illegible] further comprising [illegible] a digital currency to said requestor along with said authentication credential.

43. An apparatus for providing, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) a network interface configured to:
(i) receive from a requestor, over a network, a request for a predetermined authentication credential, said authentication credential:
(A) in existence at said apparatus prior to said request therefor;
(B) uniquely identifying a requestor thereof; and
(C) suitable for use in conducting an electronic transaction,
(ii) transmit a challenge soliciting a predetermined response associated with said requestor, and
(iii) receive from said requestor an answer to said challenge;
(b) logic configured to determine whether said answer satisfies said challenge; and
(c) a memory configured to store said authentication credential to be released for said requestor,
said apparatus being operable to process repeated, on-demand authentication credential requests by said requestor at a plurality of requestor locations.

44. The apparatus of claim 43 wherein said authentication credential includes a secret credential of said requestor.

45. The apparatus of claim 44 wherein said secret credential is a private key.

46. The apparatus of claim 44 wherein said response includes a shared secret between said server and said requestor.

47. The apparatus of claim 43 wherein said server is configured to store said authentication credential in cryptographically camouflaged form.

48. The apparatus of claim 47 wherein said authentication credential is encrypted under an access code, and where said logic to determine whether said answer satisfies said challenge includes:
(i) cryptographic logic for verifying that said answer belongs to a family of pseudo-valid responses; and
(ii) cryptographic logic for using said answer to decrypt said stored authentication credential.

49. The apparatus of claim 48 where said pseudo-valid responses have the characteristic of being hashable to the same output as said access code.

50. The apparatus of claim 49 where said authentication credential includes a private key of said requestor.

51. The apparatus of claim 47 wherein said network interface is configured to release said authentication credential to said requestor in cryptographically camouflaged form for cryptographic decamouflaging by said requestor.

52. The apparatus of claim 47 wherein said authentication credential includes a secret credential of said user.
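The PIN-protected wallet of FIG. 2 and the cryptographically camouflaged wallet of FIG. 3 modelled in Python, as an added example that is not part of the patent: a six-digit PIN is reduced by a many-to-one hash to one of 100 two-digit values, so roughly 10,000 of the 1,000,000 codes are pseudo-valid and open the wallet, each yielding a well-formed candidate key of which only the correct PIN's is genuine. The cipher (a SHA-256 XOR keystream standing in for the DES/3DES decryption module), the sample PIN and the sample private key are assumptions constructed for this demonstration.

```python
import hashlib
import hmac

# Constructed sample values for this demonstration (not taken from the patent).
PIN_SPACE = 1_000_000                                # every six-digit code 000000..999999
CORRECT_PIN = "123456"
PRIVATE_KEY = b"constructed 32-byte private key!"    # stands in for the user's private key


def many_to_one_hash(pin: str) -> int:
    """Hash function 310 of FIG. 3: a good hash (SHA-256) reduced to one of
    only 100 two-digit values, so ~10,000 of the 1,000,000 codes collide."""
    digest = hashlib.sha256(b"fig3|" + pin.encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100


def one_to_one_hash(pin: str) -> bytes:
    """Hash function 210 of FIG. 2: the full digest is kept, so in practice
    only the correct PIN reproduces stored hash value 220."""
    return hashlib.sha256(b"fig2|" + pin.encode()).digest()


def pin_cipher(pin: str, data: bytes) -> bytes:
    """Stand-in for decryption module 240/340 (the patent names DES, 3DES,
    IDEA or Blowfish). A SHA-256 XOR keystream keyed by the PIN is used so
    the block needs no third-party library; like any cipher it returns a
    well-formed output for every key, right or wrong."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(f"{pin}|{counter}".encode()).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ConventionalWallet:
    """FIG. 2 wallet: stored hash 220 and encrypted key 230, one-to-one hash."""

    def __init__(self, correct_pin: str, private_key: bytes):
        self.stored_hash = one_to_one_hash(correct_pin)             # field 220
        self.encrypted_key = pin_cipher(correct_pin, private_key)   # field 230

    def open(self, entered_pin: str):
        # A wrong PIN is rejected outright; that definite answer is what
        # lets an offline search of all six-digit codes recognise the PIN.
        if not hmac.compare_digest(one_to_one_hash(entered_pin), self.stored_hash):
            return None
        return pin_cipher(entered_pin, self.encrypted_key)          # key 250


class CamouflagedWallet:
    """FIG. 3 wallet: stored hash 320 and encrypted key 330, many-to-one hash."""

    def __init__(self, correct_pin: str, private_key: bytes):
        self.stored_hash = many_to_one_hash(correct_pin)            # field 320
        self.encrypted_key = pin_cipher(correct_pin, private_key)   # field 330

    def open(self, entered_pin: str):
        # Every pseudo-valid PIN passes the check and yields a candidate
        # key 350; only the correct PIN's candidate is the real private key.
        if many_to_one_hash(entered_pin) != self.stored_hash:
            return None
        return pin_cipher(entered_pin, self.encrypted_key)


def pseudo_valid_pins(wallet: CamouflagedWallet) -> list:
    """Enumerate the pseudo-valid family: all six-digit codes hashing to the
    stored value. With a good hash this is close to 1/100 of the PIN space."""
    return [f"{n:06d}" for n in range(PIN_SPACE)
            if many_to_one_hash(f"{n:06d}") == wallet.stored_hash]


def camouflage_summary(wallet: CamouflagedWallet, private_key: bytes,
                       family: list = None) -> dict:
    """What a copy of the camouflaged wallet reveals to someone who can only
    try PINs: many plausible candidate keys, the real one hidden among them
    and indistinguishable without the matching public key."""
    if family is None:
        family = pseudo_valid_pins(wallet)
    candidates = {wallet.open(p) for p in family}
    return {
        "pseudo_valid_count": len(family),
        "distinct_candidate_keys": len(candidates),
        "real_key_among_candidates": private_key in candidates,
        "fraction_of_pin_space": len(family) / PIN_SPACE,
    }


if __name__ == "__main__":
    cam = CamouflagedWallet(CORRECT_PIN, PRIVATE_KEY)
    print(camouflage_summary(cam, PRIVATE_KEY))
```

Enumerating the whole PIN space takes a second or two; with a good hash the pseudo-valid count comes out close to 10,000, matching the 1/100 figure in the text.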



